With the widespread use of web-based applications and the Internet in general, concerns have been raised about the availability of servers in the face of so-called denial-of-service attacks. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer server unavailable to its intended users. A denial-of-service attack is generally a concerted, malevolent effort to prevent an Internet site or service from functioning.
Denial-of-service attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways and root servers. One common method of attack involves saturating the target machine with external connection requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, denial-of-service attacks are implemented by forcing the targeted server computer to reset or to consume its resources such that it can no longer provide its intended service, and/or by obstructing the communication media between the intended users and the server so that they can no longer communicate adequately.
One particular denial-of-service attack over the Internet is a SYN-based attack that sends a flood of Transmission Control Protocol (TCP) SYN packets, often with a forged sender address. Each such packet is handled as a connection request, causing the server to establish a half-open connection by sending back a TCP SYN-ACK packet and waiting for a TCP ACK packet in response from the sender address. Because the sender address is forged, that response never comes. These half-open connections saturate the number of connections the server is able to hold open, keeping it from responding to legitimate requests until the attack ends. Handling the new connections consumes server CPU resources, denying any further new connections and effectively denying service to existing connections as well.
FIG. 2 shows a typical prior art server arrangement. FIG. 2 shows a network 200 that may be the Internet. The network 200 has a server 202 that receives requests from a client computer 204. It is to be understood that client computer 204 represents multiple client computers that may make requests to the server 202. In this example the requests are made in packets 206 having a header and a body according to the Transmission Control Protocol (TCP) of the Internet Protocol. The Internet Protocol allows the exchange of packets between network nodes such as the server 202 and the client computer 204. The header describes the packet's destination, and packets originating from client computer(s) 204 are routed to the server 202 in this example. The requests are received by the server 202 and a response is sent back to the client computer 204. Initially, some of the packets 206 include SYN requests that constitute requests for a connection between the client computer 204 and the server 202. Once a connection is established, further packets may include requests for data or other requests for the server 202.
One type of denial-of-service attack involves sending multiple SYN request packets with no return address to the server 202. The sending of multiple SYN packets with bogus, random, or otherwise invalid return addresses is termed a stateless attack. Since the server 202 processes received packets in order, packets relating to existing connections (non-SYN packets) are crowded out and not serviced, resulting in the denial of service shown in FIG. 2. Another form of denial-of-service attack is a stateful attack, which sends SYN requests with a valid return address; once an acknowledgement (ACK) is received from the server 202, no further responses are made, thereby keeping a connection open and diverting server resources.
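The half-open connection exhaustion described above for the SYN-based attack, and the stateless variant described for the server 202, can be seen concretely in a small model of the server's listen backlog. The following is an added example written for this page; it is not code from the patent or from any real TCP stack. It is a constructed simulation: a `SynBacklog` that holds at most `capacity` half-open entries until an ACK arrives or a timeout expires, a simplified SYN-cookie listener that stores no state until a valid ACK is received (real SYN cookies also encode a timestamp and MSS, which is omitted here), and a `simulate_flood` scenario in which a burst of SYNs from forged addresses (the 203.0.113.0/24 documentation range) is followed by legitimate clients that complete the handshake. The names, capacities and traffic counts are all assumptions of this example.

```python
import hashlib
import hmac
import os


class SynBacklog:
    """Constructed model of a listening socket's half-open (SYN_RECV) table.

    Each entry lives until the peer's ACK arrives or `timeout` ticks elapse,
    and the table holds at most `capacity` entries, mirroring a listen backlog.
    """

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}  # (src, sport) -> tick at which the entry expires
        self.dropped_syns = 0
        self.established = 0

    def on_syn(self, src, sport, now):
        """Handle a SYN: reserve a half-open slot and (conceptually) send SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1  # backlog full: legitimate SYNs are lost too
            return False
        self.half_open[(src, sport)] = now + self.timeout
        return True

    def on_ack(self, src, sport, now):
        """Handle the final ACK: promote the half-open entry to established."""
        self._expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]


def flood_indicator(backlog, threshold=0.9):
    """Detection heuristic: flag when the half-open table is nearly full."""
    return len(backlog.half_open) / backlog.capacity >= threshold


class SynCookieListener:
    """Simplified SYN cookies: the server ISN is a keyed hash of the connection
    tuple, so nothing is stored per SYN and a forged address costs no memory."""

    def __init__(self, secret):
        self.secret = secret
        self.established = 0

    def cookie(self, src, sport, client_isn):
        msg = f"{src}:{sport}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, sport, client_isn):
        return self.cookie(src, sport, client_isn)  # sent as server ISN; no state kept

    def on_ack(self, src, sport, client_isn, ack_num):
        # A genuine ACK carries server ISN + 1; recompute and compare.
        if (ack_num - 1) & 0xFFFFFFFF != self.cookie(src, sport, client_isn):
            return False
        self.established += 1
        return True


def simulate_flood(flood_syns, legit_clients, capacity=128, timeout=30):
    """Constructed scenario: forged-source SYNs whose ACK never comes, followed
    by legitimate clients inside the timeout window. Returns outcome counts."""
    plain = SynBacklog(capacity, timeout)
    cookies = SynCookieListener(os.urandom(16))
    now = 0
    for i in range(flood_syns):
        src = f"203.0.113.{i % 256}"  # documentation range, no ACK will arrive
        plain.on_syn(src, 40000 + i, now)
        cookies.on_syn(src, 40000 + i, client_isn=i)
    now = 1
    plain_ok = cookie_ok = 0
    for j in range(legit_clients):
        src, sport, isn = "198.51.100.7", 50000 + j, 1000 + j
        if plain.on_syn(src, sport, now) and plain.on_ack(src, sport, now):
            plain_ok += 1
        server_isn = cookies.on_syn(src, sport, isn)
        if cookies.on_ack(src, sport, isn, (server_isn + 1) & 0xFFFFFFFF):
            cookie_ok += 1
    return {
        "plain_established": plain_ok,
        "plain_dropped": plain.dropped_syns,
        "half_open": len(plain.half_open),
        "flood_suspected": flood_indicator(plain),
        "cookie_established": cookie_ok,
    }


if __name__ == "__main__":
    print(simulate_flood(200, 10))
```

With 200 forged SYNs against a backlog of 128, the plain listener fills all 128 slots, drops the remaining 72 forged SYNs and then every legitimate SYN, so no legitimate client connects until the entries time out; the SYN-cookie listener accepts all ten because it holds no state for the forged SYNs. The `flood_indicator` ratio is the same signal an operator reads from a count of SYN_RECV sockets on a real host.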